Departing Personnel: Discussion Framework

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, is only a week away. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

This blog post, and others this week, will address this topic in more detail, to provide a preview of some of those issues I hope the group will consider and discuss.

Personnel departures are a daily occurrence for large organizations, and are also not uncommon on a regular basis for small and medium-sized organizations. I use the term “organization” to mean both companies and other types of organizations, such as government and NGO’s, Non-Governmental Organizations. These NGO’s can be both for-profit and non-profit. In short, all organizations face personnel departures.

Most often we think of those leaving as former employees, but departures of other categories of people can be even more common: contractors hired by the business; interns gaining experience; guest workers who arrived from another company or division; and even visitors who come for a day or a week or longer, who are meeting, inspecting or just visiting.

There are two distinct types of departures: individuals who leave and groups who leave.

Individuals can depart under various circumstances, voluntary resignations; terminations (often involuntary); contractors leaving at the end of their contract; interns leaving at the end of their internships; visitors leaving at the end of their visits.

Group departures include organizational re-organizations; spin-offs of portions of the organization to other organizations; outsourcing of organizational functions; group contractors; and outright sales of the organization or portions of it. Group departures often involve many of the types of individual departures.

Constructing a framework for understanding, planning and management for these various types of personnel departures requires first the gathering of a team of stakeholders all consistently involved with departures. Typical members on this team include representatives from Human Resources, Legal, IT (and IT Security), Payroll, Facilities, and Physical Security.

Next, representatives of this group complete a detailed review of existing policies and processes, sometimes called “off-boarding”, used to conduct these departures. The framework must accommodate differences for the different types of individual and group departures. Policy and process re-design or re-engineering follows. Most organizations use some existing policy and process design methodologies. Supported by policy, a good set of processes links HR, IT and the other stakeholders to ensure personnel access ton information system, networks, application and physical locations is disabled.

Like other organizational processes, departure processes, anchored by policies, require orientation, training, exercise, controls, controls monitoring, good communications, and incident response. They also require regular, scheduled review and update.

In my next blog post I will discuss specific issues to consider for personnel departures.